Google doubles Chrome’s top bug bounty to $100k

Google has doubled its top security bug bounty under its Chrome Reward Program to $100,000 but it’s doubtful anyone will actually claim the prize.

Google runs the program to encourage security researchers across the world to help secure its software by finding bugs and, importantly, reporting them to Google rather than selling them to brokers who might on-sell the knowledge to buyers who use them for offensive purposes.

Last year alone Google paid researchers more than $2 million, amounting to roughly a third of the $6 million it has paid since launching its bug bounty program six years ago.

Still, the search firm has acknowledged that “dark corners of the Internet” may pay more for bugs than it does, but argues that these shady offers come with strings attached, such as the fact the exploit could be used to harm people and that researchers may be contractually obliged to never publicly discuss the bug. Google on the other hand offers a decent wad of cash and public acknowledgement.

Google offers up to $15,000 for bug reports affecting its Chrome browser, but it also has a higher tier or a “standing reward” for some bugs that affect Chrome hardware. It’s this reward that Google has doubled today.

Google last year introduced a $50,000 standing reward that sought reports of remotely exploitable vulnerabilities on Chromebooks and its business conference device, Chromebox.

The rules of the standing award have not changed but as of Monday its reward page has been updated with the new figure: “We have a standing $100,000 reward for participants that can compromise a Chromebook or Chromebox with device persistence in guest mode (i.e. guest to guest persistence with interim reboot, delivered via a web page).”

“Last year we introduced a $50,000 reward for the persistent compromise of a Chromebook in guest mode. Since we introduced the $50,000 reward, we haven’t had a successful submission. That said, great research deserves great awards, so we’re putting up a standing six-figure sum, available all year round with no quotas and no maximum reward pool,” Google announced in a blog post.

Google has also introduced a new category called “Download Protection Bypass”, for bugs that allow an attacker to bypass download protection features of Chrome’s Safe Browsing technology. Safe Browsing protects Chrome users against malware and potentially unwanted applications.

The category adds a new bottom tier to the rewards program and Google is offering up to $1,000 for reports affecting the feature.

